HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Step 2: Configuring HP-UX IPSec IKE policies
Configure IKE policies as described in Chapter 4, “Step 4: Configuring IKEv1 and IKEv2 Policies” (page 86).
In most cases, you can use the default IKEv1 or IKEv2 policy without changes.
Cluster IKE policies
The cluster nodes must have IKE policies with remote address specifications for the cluster clients.
Cluster Client IKE policies
The cluster clients must have IKE policies with remote address specifications that include the package addresses.
Step 3: Configuring Authentication Records for Preshared Keys
This section describes configuration requirements for authentication records if you are using preshared keys for IKE authentication. If you are not using preshared keys for IKE authentication, go to “Step 4: Configuring Authentication Records for Certificates” (page 208).
The preshared key information must be the same on all nodes in the cluster. Configure authentication records with preshared keys on one Serviceguard cluster node. The authentication records are stored in the configuration database, /var/adm/ipsec/config.db, which you distribute to the other cluster nodes.
Use the procedure described in Chapter 4, “Step 3: Configuring authentication records and preshared keys” (page 77) to configure authentication records and preshared keys, with the additional requirements described in the following sections.
Preshared Key Configuration on Cluster Nodes
Configure an authentication record with a preshared key for each cluster client. HP recommends that you configure a unique key for each client.
The authentication records can also contain local and remote ID information. You do not have to configure local ID information on the cluster nodes. You do not have to configure remote ID information if the client is an HP-UX system, or a system from another vendor that uses its IP address as its IKE ID.
Preshared Key Configuration on Client Nodes
On each cluster client, you configure an authentication record for each package address, using the preshared key configured on the cluster for this client.
You do not have to configure local or remote ID information if the client is an HP-UX system, or a system from another vendor that uses its IP address as its IKE ID.
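The preshared-key layout described in this step has several consistency requirements that are easy to get wrong once config.db has been copied around: identical records on every node, one key per client, and a client-side record for every package address that reuses the key the cluster holds for that client. The following script is an added example (it is not code from the HP-UX IPSec guide and does not drive ipsec_config); it models those requirements as a planning check that can be run before the records are entered. Package names and addresses are taken from the guide's example; the node names are the guide's; the client addresses, key strings and the Client/check_layout names are constructed for illustration.

```python
"""Planning check for a Serviceguard preshared-key layout (added example).

Models the rules stated in "Step 3: Configuring Authentication Records for
Preshared Keys":
  * every cluster node carries the same preshared-key records (config.db is
    distributed from one node to the others);
  * each cluster client has its own key (HP recommends a unique key per client);
  * each client has one record per package address, using the key the cluster
    holds for that client;
  * each client's IKE policy remote address specification covers the package
    addresses.
Client addresses and key strings are constructed sample values.
"""
from dataclasses import dataclass, field

# Package addresses from the guide's example cluster.
PACKAGES = {"pkgA": "15.98.98.98", "pkgB": "15.99.99.99"}


@dataclass
class Client:
    address: str                                   # the client's IKE ID (its IP address)
    records: dict = field(default_factory=dict)    # package address -> preshared key
    ike_remote: set = field(default_factory=set)   # addresses in the client's IKE policy


def check_layout(nodes, packages, clients):
    """nodes: {node_name: {client_addr: key}} as held on each cluster node.
    packages: {pkg_name: pkg_addr}.  clients: list of Client.
    Returns a list of problem descriptions; an empty list means the layout
    satisfies the rules above."""
    problems = []
    names = sorted(nodes)
    reference = nodes[names[0]]

    # Rule 1: the same records on every node.
    for name in names[1:]:
        if nodes[name] != reference:
            problems.append(f"node {name}: preshared-key records differ from {names[0]}")

    # Rule 2: keys should be unique per client.
    seen = {}
    for client_addr, key in reference.items():
        if key in seen:
            problems.append(f"clients {seen[key]} and {client_addr} share a preshared key")
        else:
            seen[key] = client_addr

    # Rules 3 and 4: client-side records and IKE remote address coverage.
    for c in clients:
        if c.address not in reference:
            problems.append(f"client {c.address}: no authentication record on the cluster")
            continue
        expected_key = reference[c.address]
        for pkg, addr in packages.items():
            if addr not in c.records:
                problems.append(f"client {c.address}: no record for package {pkg} ({addr})")
            elif c.records[addr] != expected_key:
                problems.append(f"client {c.address}: key for {pkg} ({addr}) does not match the cluster")
            if addr not in c.ike_remote:
                problems.append(f"client {c.address}: IKE policy does not include {pkg} ({addr})")
    return problems


def good_layout():
    """Constructed sample: two clients, unique keys, identical records on all three nodes."""
    cluster_records = {"15.10.10.10": "key-for-client-A", "15.20.20.20": "key-for-client-B"}
    nodes = {n: dict(cluster_records) for n in ("Node1", "Node2", "Node3")}
    all_pkgs = set(PACKAGES.values())
    clients = [
        Client("15.10.10.10", {a: "key-for-client-A" for a in all_pkgs}, set(all_pkgs)),
        Client("15.20.20.20", {a: "key-for-client-B" for a in all_pkgs}, set(all_pkgs)),
    ]
    return nodes, PACKAGES, clients


def broken_layout():
    """Same layout with three constructed mistakes a check should catch."""
    nodes, packages, clients = good_layout()
    nodes["Node3"]["15.20.20.20"] = "stale-key"     # Node3 missed the config.db redistribution
    del clients[0].records["15.99.99.99"]            # client A has no record for pkgB
    clients[1].ike_remote.discard("15.98.98.98")     # client B's IKE policy omits pkgA
    return nodes, packages, clients


if __name__ == "__main__":
    for label, layout in (("good", good_layout()), ("broken", broken_layout())):
        print(f"{label}: {check_layout(*layout) or 'no problems found'}")
```

The check deliberately compares every node's record set against the first node rather than only counting records, because the failure mode the guide warns about is a key that differs on one node after config.db has been distributed, which a count would not reveal.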
Example
In Figure 23 (page 194), the cluster has three nodes:
• Node1 (10.1.1.1 and 15.1.1.1)
• Node2 (10.2.2.2 and 15.2.2.2)
• Node3 (10.3.3.3 and 15.3.3.3)
The 10.*.*.* network is a dedicated heartbeat LAN. The 15.*.*.* network is a shared heartbeat and data LAN.
The cluster also has two packages:
• pkgA (15.98.98.98)
• pkgB (15.99.99.99)
206 HP-UX IPSec and Serviceguard